[Openid-specs-fapi] Dependencies on the OBE Registry
anders.rundgren.net at gmail.com
Thu Sep 24 06:38:09 UTC 2020
Having a central registry with TPPs seems natural until you are faced with the scaling issues.
There is presumably a limited set of National Competent Authorities (NCAs) which could be a logical foundation for a distributed registry.
To make this work each TPP request would contain a URL to an "Authority Record" hosted by its NCA.
Authority Records would preferably be signed by the NCAs and be updated on a periodic basis to cope with changes including blocking misbehaving TPPs.
In the long run this could also eliminate the need for separately purchasing and managing eIDAS certificates; this would rather be an integral part of the NCA accreditation process. A TPP certificate issued by an NCA would only be useful for Open Banking.
Saturn uses this scheme but only publishes "certified signature (public) keys" in Authority Records since payments do not benefit from MTLS. Personally, I would consider shelving MTLS for the entire Open Banking system. FIDO shows that MTLS is not necessarily a necessity :)